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(54) Advertising delivery method 

(57) A method and apparatus for delivering targeted 
assets to subscribers using communication media, 
wherein each subscriber has a set top box, the method 
comprising the steps of generating a profile of each sub- 
scriber at the set top box associated with the respective 
subscriber, broadcasting an asset to all subscribers 
along with target information; and delivering the asset 
only to subscribers whose profiles match the target in- 
formation. The delivery of the asset, and accumulated 



information from delivery of the asset to other subscrib- 
ers, is reported to a user using an asset delivery notifi- 
cation, without identifying the subscriber to the user. A 
privacy manager is used to strip identification informa- 
tion from the asset delivery notification. The profile, 
which may include real time information, for example on 
whether the subscriber set is on and what it is tuned to, 
is generated by monitoring the viewing habits of the sub- 
scriber and storing the information at a set top box. 
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Description 

BACKGROUND OF THE INVENTION 

[0001] This invention relates to a method of planning, 
purchasing, delivering and monitoring targeted adver- 
tising via television. 

[0002] Targeted advertising campaigns are known to 
be more effective than non-targeted advertisements. It 
is thus desirable for an advertiser to acquire information 
on a customer that permits the advertiserto identify cus- 
tomers that might be more receptive to the advertise- 
ment from the advertiser. The kind of information that 
would assist in targeting customers includes personal 
information such as the kind of television shows the cus- 
tomer watches, geographic location of the customer and 
the gender, age and interests of the customer. Informa- 
tion about a prospective customer that might be useful 
to an advertiser in determining whether to send an ad- 
vertisement to a customer is referred to in this patent 
document as a customer profile. On the other hand, cus- 
tomers wish their privacy and do not want advertisers to 
know their customer profiles. This problem is particularly 
acute for subscribers to interactive multimedia net- 
works. In what follows, customers and prospective cus- 
tomers of advertisers are referred to as subscribers. The 
entities operating the multimedia networks are referred 
to as service providers. 

SUMMARY OF THE INVENTION 

[0003] This invention is directed towards solving the 
problem of targeted advertising on a multimedia network 
while ensuring subscriber privacy. In addition, the inven- 
tion is scalable to multiple advertisers, subscribers and 
service providers. 

[0004] According to an aspect of the invention, there 
is provided a method of delivering targeted assets to 
subscribers using communication media, wherein each 
subscriber has a set top box, the method comprising the 
steps of generating a profile of each subscriber at the 
set top box associated with the respective subscriber, 
broadcasting an asset to all subscribers along with tar- 
get information: and delivering the asset only to sub- 
scribers whose profiles match the target information. 
The delivery of the asset, and accumulated information 
from delivery of the asset to other subscribers, is pref- 
erably reported to a user without identifying the sub- 
scriberto the user. Forsystem checking purposes, there 
may be some users that are identified. A privacy man- 
ager is used to strip identification information from the 
asset delivery notification. The profile, which may in- 
clude real time information, for example on whether the 
subscriber set is on and what it is tuned to, is generated 
by monitoring the viewing habits of the subscriber and 
storing the information at a set top box. 
[0005] According to a further aspect of the invention, 
there is provided a communication system for delivery 



of advertisements to subscribers, the system compris- 
ing a communication network including an information 
manager and a source of advertisements, a set top box 
associated with each subscriber and each set top box 

5 being connected to the communication network, each 
set top box being configured to include a profiler con- 
taining profile information about the subscriber, each set 
top box being configured to include a targeterfor receiv- 
ing advertisement delivery requests containing con- 

io straints, for delivering an advertisement to the subscrib- 
er when the constraints match the profile information 
and for reporting delivery of an advertisement by gen- 
erating an advertisement delivery notification, and a pri- 
vacy manager interfacing between the set top box and 

15 the communication network, the privacy manager being 
configured to strip information identifying the subscriber 
from advertisement delivery notifications and forward in- 
formation on the delivery of the advertisement to the in- 
formation manager. 

20 [0006] According to a further aspect of the invention, 
there is provided a method of delivering advertisements, 
the method comprising the steps of forwarding a quote 
request from a buyer to a service provider, wherein the 
quote request contains a set of one or more constraints 

25 on the subscribers to be shown the advertisement, gen- 
erating a cost estimate for the quote based on audience 
size, wherein the audience size is controlled by the set 
of constraints, returning the cost estimate to the buyer; 
and sending the advertisement for delivery to the sub- 
so scribers defined by the set of constraints. 

[0007] The quote request may be provided to multiple 
service providers and the multiple service providers may 
each provide a response selected from the group con- 
sisting of a no quote response and a quote. Whether an 

35 advertisement is shown to a subscriber may he deter- 
mined by profile information describing the subscriber. 
The determination of whether to show an advertisement 
to a subscriber may be carried out by a targeter at the 
subscriber premises. Advertisement delivery statistics 

40 may be generated and returned to the buyer, and are 
preferably anonymous with respect to the subscriber. 
Preferably, each subscriber is connected to a service 
provider through a privacy manager that strips subscrib- 
er identification information from advertisement delivery 

45 information generated at the subscriber premises. 
[0008] According to a further aspect of the invention, 
there is provided a method of broadcasting messages 
in a network composed of plural geographically distinct 
communication nodes and plural subscriber set top box- 

50 es connected to some but not all of the communication 
nodes, the method comprising the steps of: generating 
a message containing fields identifying user specified 
communication nodes of the network, delivering the 
message to a first communication node in the network, 

55 forwarding the message from the first communication 
node in the network only to the user specified commu- 
nication nodes, and forwarding the message from the 
user specified communication nodes to all subscriber 
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set top boxes connected to the user specified commu- 
nication nodes. The message preferably contains a set 
of one or more constraints, for example geographic con- 
straints, and the method further comprises the steps of: 
broadcasting an advertisement to the plural subscriber 
set top boxes; and showing the advertisement only at 
subscriber set top boxes that have profiles that satisfy 
the set of constraints. 

[0009] According to a further aspect of the invention, 
there is provided a method of delivering advertisements 
to subscribers to a network, the method comprising the 
steps of: broadcasting an advertisement to plural sub- 
scriber set top boxes in the network; and showing the 
advertisement only at subscriber set top boxes that have 
profiles that satisfy a set of constraints associated with 
the advertisement. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[001 0] There will now be described preferred embod- 
iments of the invention, by way of illustration, with ref- 
erence to the figures, in which like numerals denote like 
elements, and in which: 

Fig. 1 is a schematic showing the main components 
of an embodiment of apparatus for carrying out the 
invention; 

Fig. 1 A is a schematic showing a distributed imple- 
mentation of the invention; 
Fig. 2 is a flow diagram illustrating the basic steps 
of a method according to the invention; 
Fig. 2A is a flow diagram illustrating one of the meth- 
od steps of Fig. 2; 

Fig. 3 shows the structure of an asset delivery re- 
quest (ADR); 

Fig. 4 is a flow diagram illustrating the compilation 
of asset delivery statistics; 
Fig. 5 shows the structure of an asset delivery sta- 
tistic (ADS); 

Fig. 6 is a flow diagram illustrating asset delivery 
decision making; 

Fig. 6A is a flow diagram illustrati ng how the targeter 
uses constraints to decide when to deliver an asset; 
Fig. 7 shows the structure of an asset delivery no- 
tification (ADN); and 

Fig. 8 illustrates a quoting method for use with an 
implementation of the invention. 

DETAILED DESCRIPTION OF PREFERRED 
EMBODIMENTS OF THE INVENTION 

[0011] In this patent document, the word "comprising" 
is used in its non-limiting sense to mean that items fol- 
lowing the word in the sentence are included and that 
items not specifically mentioned are not excluded. The 
use of the indefinite article "a" in the claims before an 
element means that one of the elements is specified, 
but does not specifically exclude others of the elements 



being present, unless the context clearly requires that 
there be one and only one of the elements. 
[0012] All lines connecting system components in the 
drawings are conventional communication links. The 

5 communication links may be any of: conventional inter- 
nal links within a conventional general purpose compu- 
ter programmed in accordance with this patent descrip- 
tion, a hardwired equivalent or conventional communi- 
cation links between conventional general purpose 

10 computers programmed in accordance with this patent 
description, and may be hardwired, wireless or any type 
of internet link. In a preferred embodiment of the inven- 
tion, communication between components use internet 
protocol. Since internet protocol is well understood, this 

15 patent description will not provide details of the commu- 
nications in so far as they rely on well known techniques 
such as internet protocol. 

Definitions of words used in this patent document. 

[0013] Ad Campaign - a collection of PDRs which 
work together to present an overall message. 
[0014] ADN (Asset Delivery Notification) - a message 
indicating that on a specific occasion and channel, a 
specific ADR has been delivered to a subscriber. 
[0015] ADR (Asset Delivery Request) - a request to 
deliver an asset to a set of subscribers. 
[0016] Asset - the media to be delivered to the sub- 
scriber (in colloquial terms, an asset is typically an ad- 
vertisement). 

[0017] ADRID (Asset Delivery Request Identifier) - a 
systemwide-unique identifier associated with each 
ADR. 

[0018] ADS (Asset Delivery Statistic) - the ano- 
nymized and aggregated count of the number of sub- 
scribers which were shown a specified occasion of a 
specified ADR. 

[0019] DSTB - digital set top box. Such a box need 
not be literally on a TV set, but is a device that could be 
anywhere in the subscriber's personal domain , including 
being embedded in a television set, and components of 
the device may be placed outside of the subscriber's 
premises. 

[0020] Advertisement - a colloquial term roughly de- 
scribing the media associated with an asset. 
[0021 ] Audience size - the number of times that ADRs 
within a specified PDR will have or has had their asset 
(s) delivered based on the constraints associated with 
each ADR. 

[0022] Constraint - targeting criteria used to select 
when and to whom an ADR's asset is delivered. 
[0023] Communication manager (system compo- 
nent) - manages communication between system com- 
ponents. This device functions as a router, and is similar 
to routers used in the internet, except that instead of IP 
addresses being contained in messages, the messages 
contain address paths containing the names of the des- 
tinations of the messages, and the communication man- 
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ager looks up the corresponding addresses in a data- 
base or directory, which typically will be stored in an in- 
formation manager. 

[0024] Asset Delivery - the act of the targeter request- 
ing that a DSTB's operating system show an asset to 
the subscriber. 

[0025] Geo-demographic segmentation - a system of 
categorizing or classifying small geographic regions 
based on the economic, social or demographic charac- 
teristics of the households within each region. The char- 
acteristics are derived from a wide variety of sources 
including census data, public opinion polls and purchas- 
ing pattern analysis. 

[0026] Geo-demographic segment - one of the cate- 
gories or classifications defined by a geo-demographic 
segmentation system. 

[0027] Ad sales interface (system component) - the 
interface for receiving input from and communication 
with advertisers. 

[0028] Frequency - the maximum number of times 
that an ADR is to be delivered to its targeted audience 
from each DSTB. 

[0029] Asset manager (system component) - the as- 
set repository, which stores advertisements for delivery 
to subscribers. The asset manager may introduce the 
asset to the subscriber stream at various locations in the 
communication network, but preferably adds the asset 
at the DSTB under direction of the targeter. 
[0030] Targeter (system component) - the targeter de- 
cides whether an advertisement should be played to a 
subscriber and tracks what advertisements are played 
and when. 

[0031] Privacy manager (system component) - the 
privacy manager restricts the kind of information that 
can be fed back to a user. 

[0032] Occasion - a single delivery of the asset asso- 
ciated with an ADR. Occasions are numbered starting 
at1 forthefirst delivery of the asset on a particular DSTB 
and incrementing by one for each successive delivery. 
Since an ADN and the resulting ADS include the occa- 
sion number of the delivery, it is possible for an adver- 
tiser to ultimately determine how many subscribers saw 
the asset once, how many saw it twice and so on. 
[0033] Organization - a business/corporate entity that 
interacts with the system. Examples include service pro- 
viders, advertising agencies, media buyers, the opera- 
tor of the system and regulators. Media buyers plan tar- 
geted advertising campaigns, put together the ADRs 
and PDRs and make the decision to actually purchase 
the resulting campaign. A sen/ice provider has the cus- 
tomers who will actually he shown the targeted adver- 
tisements. A cable network provides the programming 
stream within which the targeted advertisements ap- 
pear. The operator of the system manages directory and 
access information. 

[0034] PDR (Package Delivery Request) - a collection 
of possibly ordered ADRs which are managed as a unit 
by all system components (i.e. a PDR and its associated 



ADRs always travel together). Note that since a PDR is 
a collection of ADRs, a reference to a PDR within this 
document implicitly refers to the ADRs within the collec- 
tion unless explicitly indicated otherwise. 
5 [0035] Profile information - the information or data de- 
scribing the household and/or the current audience. 
Profile information is developed by the profiler and used 
by the targeter. 

[0036] Information manager (system component) - 
10 the information repository for reporting collections of in- 
formation relating to the system and advertisers. For ex- 
ample, the information manager stores IP addresses of 
components in the system. 

[0037] Real-time profiler - a profiler plug-in that devel- 
15 ops profile information describing the current audience. 
[0038] Real-time profile - the profile information de- 
veloped by wh ichever real-time profiler plug-ins are cur- 
rently configured within a profiler. 
[0039] Service provider - a company in the business 
20 of delivering television to subscribers (in today's mar- 
ketplace, these are either cable companies, telephone 
companies or satellite companies). 
[0040] Profiler (system compone) - a collection of 
plug-ins that compile information on subscribers. A 
25 household profile contains information like the house- 
hold's geodemographic segment and other descriptive 
information. The household profile does not tend to 
change very quickly. 

[0041] Subscriber - the service provider's customer. 

30 An approximate synonym for audience. 

[0042] Targeted audience - the audience implied by 
the constraints associated with an ADR. 
[0043] User - individuals who interact directly with the 
system. Users are associated with organizations. Note 

35 that subscribers and their households are not consid- 
ered to be users. 

[0044] 1 4 An advertiser or media buyer interacts with 
the system of the invention either directly via the Internet 
or indirectly by working with human intermediaries (i.e. 
40 sales representatives) who are themselves directly con- 
nected. In contrast, the relationship between the system 
of the invention and a service provider is much more 
intimate with system hardware located on the service 
provider's premises and system software running on the 
45 system hardware and on the digital set top boxes (DST- 
Bs) located in their subscribers' homes. 
[0045] Fig. 1 shows the system architecture for an 
embodiment of the invention. Fig. 1 shows the basic 
functions of the components. An implementation show- 
so jng different configurations of the components is shown 
in Fig. 1A. The DSTB 10 is at a subscriber's premises, 
and includes a connected profiler 12 and targeter 14. 
The DSTB 1 0 is a conventional device that contains soft- 
ware that enables the DSTB 1 0 to carry out the profiling 
55 and targeting functions described here. Consequently, 
the profiler 12 and targeter 1 4 are not necessarily divis- 
ible physical elements, but are embedded in the soft- 
ware used to run the DSTB 10. The software defining 
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the profiler 12 and targeter 14 may be readily prepared 
from the description in this patent document. The com- 
ponents of the system architecture operate as individual 
instances in geographically distributed locations. The 
targeter 14 is connected by conventional communica- 5 
tion links to a privacy manager 1 6 and may be connect- 
ed to the asset manager 18 depending on the configu- 
ration of the system as implemented. The asset manag- 
er 1 8 may also be connected directly to the privacy man- 
ager 16. The communication links in Fig. 1 are repre- 
sented by single lines and may be any conventional 
communication link. Both the privacy manager 16 and 
asset manager 1 8 are connected to an information man- 
ager 20. Both the asset manager 18 and information 
manager 20 are connected to a communication manag- 
er 22. which links to an ad sales interface 24. Each of 
the items shown outside of the DSTB 10 and ad sales 
interface 24 may be located at a service provider, and 
may be formed of software loaded into a conventional 
microprocessor with conventional input and output in- 
terfaces. Communication with advertisers occurs prima- 
rily through the ad sales interface 24. The ad sales in- 
terface 24 may be operated by the system operator, and 
need not be associated with any particular service pro- 
vider. 

[0046] Fig. 1 A illustrates the working relationships be- 
tween components of a system according to the inven- 
tion with two service providers. Components associated 
with a first service provider are identified by the suffix 
"a". Components associated with a second service pro- 
vider are identified by the suffix "b". Components with 
the suffix "c" are not associated with any particular serv- 
ice provider, but are operated by the system operator. 
As shown, a communication manager 22a may commu- 
nicate with a single information manager 20a, which 
may communicate with one or more privacy managers 
1 6a. A communication manager 22 and corresponding 
information manager 20 will typically be collocated, for 
example in a single facility or room, and may be in a 
single computer. The privacy managers 16a may each 
communicate with multiple DSTBs 10a according to 
their capacity for handling multiple DSTBs 10. 
[0047] Fig. 1 A also illustrates that an information man- 
ager 20a may communicate with an asset manager 1 8a, 
which may be the service provider's sole asset manager. 
An additional communication manager 22a may act as 
a secure interface between other communication man- 
agers 22 operated by the same service provider and the 
communication managers of other organizations. Each 
communication manager 22 has an information manag- 
er 20 associated with it to provide configuration informa- 
tion about the global network. A communication manag- 
er 22c may be in a location completely controlled by the 
operator of the system, and may be associated with an 
information manager 20c. The communication manag- 
ers 22a, b, c are used by all other communication ori- 
ented system components to route and forward mes- 
sages to other components in the system. Information 



relating to a specific organization is preferably kept at a 
specific information manager, and may be accessed 
through any communication manager in the system. 
The information manager 20 associated with a commu- 
nication manager also provides directory services to the 
communication manager and any system component 
that communicates with the communication manager. 
The directory should indicate for each organization 
where that organization's information is located. 
[0048] When a system component seeks to send a 
message to other system components, it sends a re- 
quest for address information to the information manag- 
er 20 associated with the communication manager 22 
with which the system component is communicating. 
Any of various directory systems may be usedf or storing 
address information. 

[0049] Multiple GUI client interfaces 25, which may 
each be part of a web browser, are run on each respec- 
tive media buyer's computer. A sales interface server 
24c is also connected to the communication manager 
22c and permits communication between the media 
buyer and the communication manager 22c. Media buy- 
ers use their sales interface to plan and purchase tar- 
geted advertising. Additional components may be add- 
ed as desired. A single sales interface 24c for example, 
may be used, that communicates with all other commu- 
nication managers 22.a.b globally, or there may be re- 
gional sales interfaces, eg. one in Europe, one in North 
America, and one or two in Asia. The client interface 25 
preferably presents geographic constraint choices in a 
hierarchy that is consistent across all client interfaces 
25. 

[0050] Each subscriber has a DSTB 1 0 that contains 
a profiler 12 and targeter 14. Referring to Figs. 2 and 
2A, the basic method steps of an embodiment of the in- 
vention will now be described. The profiler 1 2 generates 
a profile of the subscriber (step 30) and stores it at the 
DSTB 10. The system, in response to a request by a 
user to broadcast an asset (step 32). compiles an ADR 
(step 34) and broadcasts it to all DSTBs (step 36). 
[0051] The manner in which an ADR is generated and 
broadcast is illustrated in Fig. 2A. The user, or media 
buyer, first creates an ad campaign that, using the con- 
tract mechanism, specifies a target audience for the 
campaign. Using the ad sales interface 24, the media 
buyer creates a pseudo-PDR or PDX that contains a de- 
scription of the huyer, a description of the advertiser, a 
list of service providers, specified by the user, to which 
the PDR is to be delivered and a number of ADRs (step 
150) that define the ad campaign. Other information 
may be contained in the PDX that is not needed by the 
DSTB 10 such as information informing a computer 
what colour to use to display the request. The PDX is 
then routed through the communication system to the 
information manager 20 responsible for the user's or- 
ganization. The PDX is routed by first sending it to the 
communication manager 22 responsible for communi- 
cations with the ad sales interface 24, which in this case 
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is communication manager 22c in Fig. 1A (step 151). 
The communication manager 22c obtains routing infor- 
mation from the information manager 20c for the user's 
organization. The addresses of the information manag- 
ers 20 for all organizations are stored in the information 
manager 20c. At the communication manager 22c, the 
PDX is forwarded to the communication manager 22 as- 
sociated with the addressed information manager (step 
152) and the communication manager 22 then forwards 
the PDX to the addressed information manager Once 
the PDX arrives at the information manager 20 it is 
stored (step 153). The user now obtains a quote for the 
stored PDX. The quote is obtained in the manner de- 
scribed below in reference to Fig. 8 (step 154). If the 
user determines the quote to be acceptable, a purchase 
approval message is sent from the ad sales interface 24 
to the in formation manager 20 storing the PDX (step 
155). At the information manager 20, a PDR is created 
from the PDX that contains a description of the buyer, a 
description of the advertiser, a number of ADRs, and a 
pair of address paths (step 156). One address path is a 
destination address path that contains a list of the IP 
addresses (and port number if required) for the informa- 
tion managers 22 of the service providers to which the 
buyer has specified that the PDR be sent. The PDR also 
contains a sender address path. As the PDR moves out- 
ward through the network, at each communication man- 
ager 22 at which the PDR arrives, the address of that 
communication manager is moved from the destination 
address path to the sender address path. At each node 
in the network, an acknowledge message can be readily 
generated and sent back along the path followed by the 
outward bound PDR. The PDR is also then forwarded 
by each communication manager 22 at which the PDR 
arrives to any communication manager 22 in the desti- 
nation path (step 157). Pen ultimately, the PDR will arrive 
at the communication manager 22 associated with an 
information manager 20 responsible for a service pro- 
vider in the destination address path. At each of these 
communication managers 22 the PDR is forwarded to 
the associated information manager 20 (step 158). 
[0052] When a PDR arrives at an information manag- 
er 20 that is connected to one or more privacy managers 
16, the information manager 20 checks the geographic 
constraints in the ADRs and forwards the PDR only to 
those privacy managers 16 that are specified by the 
ADRs (step 160). Each privacy manager 16 forwards 
the PDR to all DSTBs 1 0 to which the privacy manager 
16 is connected (step 162). 

[0053] Each DSTB 1 0 decides whether constraints 
associated with the ADRs in the PDR match the stored 
profile of the subscriber (step 38). If there is no match 
at a DSTB 10, the ADR is rejected, and when the asset 
is broadcast, the asset is not shown at that DSTB 10 
(step 40). If there is a match, the ADR is stored at the 
DSTB 1 0. At a time after delivery of the ADR, but before 
the time the asset is to be shown, the asset is delivered 
(step 42) by broadcast 10 the DSTBs 10 in the same 



geographic area to which the ADRs were delivered. On- 
ly those DSTBs 10 that have stored the ADR corre- 
sponding to the asset then show the asset to the sub- 
scriber. The time when the asset is shown to the sub- 

5 scriber will depend on the constraints in the ADR. Thus, 
the asset may be stored pending showing until the con- 
straints are met, as for example until a subscriber has 
turned the TV on and is watching a football game. 
[0054] Upon showing of the asset, the DSTB 1 0 then 

10 reports the asset delivery (step 44) by sending an ADN . 
The system receives the ADN (step 46) at the privacy 
manager 1 6 and constructs aggregated delivery statis- 
tics (ADSs) that contain no information identifying the 
subscriber (step 48). The ADSs from all the privacy 

15 managers 1 6 in the system then are forwarded to the 
information manager 20, which compiles statistics on 
the delivery of the asset (step 50). The information man- 
ager 20 then reports aggregated statistics to the user 
(step 52). 

20 [0055] The communication manager 22 preferably 
uses secure communication links. It is the responsibility 
of the relevant infrastructure provider(s) to ensure that 
the pathways are sufficiently secure. The secure func- 
tion may be provided by conventional secure links. 
25 [0056] If the communication manager 22 is unable to 
deliver a message then the communication manager 22 
may, but is not required to, send an error indication back 
to the sender. When the communication manager22 de- 
livers a message to the target, the communication man- 
so ager 22 also provides the target with the identity of the 
sender. The communication manager 22 may take con- 
ventional measures to ensure that the message was ac- 
tually sent by the identified sender, that the message 
has not been modified while in transit, and that the mes- 
35 sage is actually targeted at the receiving component. 
The communication manager 22 does not need to guar- 
antee that a message that is sent is actually delivered, 
two delivered messages are not actually duplicates of a 
single sent message, or two delivered messages from 
40 the same or different senders arrive in the same order 
in which they were sent by their respective senders. 
[0057] A communication manager 22 assumes that its 
associated components are not subject to compromise. 
In contrast, a communication manager 22 assumes that 
45 remote communication managers 22 at other locations 
and their associated components are subject to com- 
promise and takes appropriate conventional measures 
to reduce the impact of a remote compromise to an ap- 
propriate level. 

so [0058] The ad sales interface 24 is used to plan, pur- 
chase and monitor ad campaigns. The tasks performed 
by the ad sales interface 24 are creation of new ad cam- 
paigns (specified by PDRs), specification of ADRs (i.e. 
constraints, frequencies and assets), placement of 

55 ADRs within PDRs, storing and retrieving PDRs from 
information manager, campaign planning (i.e. what-if 
analysis), purchasing of ad campaigns, and reviewing 
the results of ad campaigns. The ad sales interface 24 
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must ensure that an ADR is not sold which will be dis- 
tributed to DSTBs which do not support the constraints 
specified by the ADR. The structure of an ADR is shown 
in Fig. 3. The ADR is an electronic message 60 contain- 
ing fields, including a suitable header 62, a field 64 that 
specifies the asset to be delivered to the subscribers, a 
field or fields 66 that specify the constraints describing 
when and to which subscribers the asset is to be deliv- 
ered to, a field 68 that specifies the frequency (i.e. 
number of occasions that the asset is to be delivered to 
the subscriber) and the ADR's ADRID 70. The field 64 
has the form of an internet protocol URL (universal re- 
source locator) that specifies the asset to be delivered. 
[0059] The information manager 20 acts primarily as 
a data repository containing: system configuration infor- 
mation, information describing the organizations that in- 
teract with the system (e.g. system operator, advertising 
agencies, advertisers, media buyers and service provid- 
ers), user information (lists of users within each organ- 
ization including who they are, what duties they perform 
and what privileges they have), billing information, cost- 
ing and pricing information, auditing information, ad 
campaign information (i.e. stored PDRs and the ADSs 
associated with their ADRs), geographic information (i. 
e. how the system views the division of the world into 
regions), and for each privacy manager 16's collection 
of DSTBs, information describing: the geographic area 
covered by the DSTBs 1 0, the media formats supported 
by the DSTBs 1 0, and the constraints supported by the 
DSTBs. This particular category of information de- 
scribes the DSTBs associated with each privacy man- 
ager 16 as a collection (i.e. no information describing a 
particular DSTB is stored within information manager 
20). The information manager 20 stores geographic in- 
formation on service providers and system components 
in any suitable manner. Geographic location may be de- 
fined for example using postal codes, zip codes or the 
equivalent postal address. 

[0060] The information manager 20 is also responsi- 
ble for scheduling the distribution and actually distribut- 
ing the PDRs to the privacy manager 1 6 for distribution 
to the DSTBs. The information manager 20 rejects an 
attempt to distribute or purchase a PDR which contains 
ADRs whose constraints are not supported by the DST- 
Bs within the geographic area targeted by the ADRs. 
The information manager 20 responds to queries as to 
whether the DSTBs within a particular geographic area 
support a specified set of constraints. The information 
manager 20 provides audience size predictions and 
pricing quotes for PDRs created by the ad sales inter- 
face 24. The information manager 20 performs coarse 
geographic targeting operations on PDRs (e.g. ensuring 
that a PDR targeted at an Alberta audience is not sent 
to privacy managers 1 6 that are located in Ontario). The 
information manager 20 provides an administrative in- 
terface (i.e. GUI and/or command line) which can be 
used to administer the system. 
[0061] Every communication manager 22 hasasingle 



information manager 20 associated with it and every in- 
formation manager 20 is associated with a single com- 
munication manager 22. The information manager 20 
provides the communication manager 22 with system 

5 configuration information. Each organization has asso- 
ciated with it a single information manager 20 that is the 
primary authority for information related to that organi- 
zation. Organizations may also have one or more infor- 
mation managers 20 acting as secondary authorities for 

10 the organization. An information manager 20 that is au- 
thoritative for an organization provides the following 
services: a variety of information about the organization, 
storage for PDRs created by users associated with the 
organization, authentication and authorization services 

15 for users associated with the organization, in the case 
of a service provider organization, storage of PDRs dis- 
tributed to DSTBs 10 within the organization, audience 
size projection and pricing information used by the ad 
sales interface 24 when performing what-if analysis or 

20 quoting a PDR which contains ADRs that target sub- 
scribers associated with the service provider. A second- 
ary information manager 20 for an organization may or 
may not allow updates to the service provider related 
data (i.e. secondary authoritative information managers 

25 20 are allowed to be read-only). 

[0062] Referring to Fig. 4, after a privacy manager 16 
receives an ADN and strips DSTB ID information, the 
privacy manager 1 6 aggregates like ADNs into ADSs 
(step 71) and forwards an ADS to the information man- 

30 ager 20 (step 72) . When an ADS arrives from the privacy 
manager 16 (step 74), the information manager 20 as- 
sociates it with the ADR containing the ADRID, occasion 
number and cable network ID from the ADS (step 76). 
If there is already an ADS associated with the ADR then 

35 the count from the newly arrived ADS is added to the 
count in the existing ADS and the newly arrived ADS is 
discarded (step 78). The information manager 20 should 
be careful to ensure that if duplicate ADSs arrive then 
the count value within the duplicates is only accounted 

40 for once. 

[0063] The privacy manager 1 6 is distributed as mul- 
tiple instances operating in service provider sites (typi- 
cally relatively close in network terms to the service pro- 
vider's head-end or central office locations). The privacy 

45 manager 1 6 is responsible for ensuring that no informa- 
tion associated with an individual subscriber is leaked 
out to the rest of the system, distributing PDRs to the 
targeters 14 on the individual DSTBs 10, distributing 
small assets (e.g. banner ads) to the DSTBs 1 0) de- 

50 pending on the configuration, distributing large assets 
(e.g. MPEGs) to the DSTBs 1 0, and aggregating ADNs 
into ADSs. 

[0064] There is at least one privacy manager 1 6 as- 
sociated with each service provider that is responsible 
55 for interfacing with the service provider's DSTB. Large 
service providers may require multiple privacy manag- 
ers 1 6 depending on their network structure, size of their 
subscriber base and geographic considerations. Priva- 
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cy managers 1 6 should not be shared between service 
providers. The DSTBs associated with a particular pri- 
vacy manager 1 6 are said to be within the privacy man- 
ager's domain. 

[0065] Depending on the configuration, the privacy 5 
manager 16 may need to maintain a list of the DSTBs 
within its domain in order to facilitate distribution of 
PDRsto the DSTBs. The privacy manager 16 is the only 
system component outside of the DSTBs 10 with any 
knowledge of individual subscribers and their DSTBs. If 
the information manager 20 sends a PDR to a privacy 
manager 1 6 then the privacy manager 1 6 is expected 
to distribute it to all the DSTBs 10 that it is responsible 
for. 

[0066] When distributing assets to the DSTBs 1 0, the 
privacy manager 16 must ensure that each DSTB re- 
ceives the asset's media in a format that it can deliver 
to the subscriber. An ADN is sent by the targeter 1 4 to 
the privacy manager 1 6 whenever an ADR's asset is de- 
livered. The privacy manager 16 uses ADS objects to 
maintain counts of recently arrived ADNs with identical 
ADRID, cable network IDs and occasion number com- 
binations. 

[0067] Referring to Fig. 5, each ADS 80 contains a 
suitable header 82 followed by fields for the following 
information; an ADRID field 84, an occasion number 86, 
a Cable Network identifier 88, and a count 90 of the 
number of recently arrived ADNs with the same ADRID, 
occasion number values and cable network ID. The pri- 
vacy manager 1 6 attempts to detect duplicate ADNs ar- 
riving from the same targeter instance 14. Duplicate 
ADNs are discarded (i.e. not counted). 
[0068] On an as-needed, periodic basis (roughly eve- 
ry fifteen minutes if practical), the privacy manager 16 
forwards its collection of ADSs to the information man- 
ager 20 and then discards them. The privacy manager 
16 only communicates with the asset manager 18, in- 
formation manager 20 and the DSTBs 10. That is, the 
privacy manager 16 is not communication manager- 
aware. 

[0069] The privacy manager 16 is permitted to as- 
sume that the communication pathways between it and 
the asset manager 1 8 and the information manager 20 
are secure. The privacy manager 1 6 should not assume 
that the communication pathway(s) between it and the 
DSTBs 10 are secure. The protocol used to communi- 
cate between the privacy manager 1 6 and targeter 1 4 
should be sufficiently secure and robust to provide an 
appropriate level of assurance that traffic is not being 
intercepted or tampered with and be respectful of the 
privacy of the subscriber. Conventional methods may be 
used to achieve this. Specifically, the privacy manager 
16 should never take notice of whether a particular tar- 
geter 14 has accepted or rejected a PDR in whole or in 
part. To the extent that the privacy manager 16 may be 
able to deduce whether a particular targeter 14 has ac- 
cepted or rejected a PDR in whole or in part, the privacy 
manager 16 should be programmed not to. In addition, 



the privacy manager 16 should not retain information on 
persistent media (other than operating system paging 
space) which could be used to determine if a targeter 
14 has accepted or rejected a PDR. The privacy man- 
ager 16 may only broadcast information to its DSTBs (i. 
e. it should not provide information to some DSTBs 
which is not provided to other DSTBs). The protocol may 
allow a privacy manager 1 6 to detect missed ADNs and 
to request that a particular DSTB provide it with missing 
ADNs. The protocol may allow a targeter 14 to detect 
missed PDRs and to request that Privacy manager pro- 
vide it with missing PDRs. 

[0070] An exception to the broadcast rule is that the 
privacy manager 16 may retransmit requested PDRs 
and the privacy manager 16 may divide DSTBs 1 0 into 
classes based on their ability to deliver different media 
formats and then provide the different DSTB classes 
with asset media in a format appropriate to the DSTB 
class. 

[0071 ] The asset manager 1 8 may either manage the 
assets directly or provide proxy services to a third party 
asset manager. From the system perspective, asset 
management includes providing information about as- 
set characteristics (duration, format, availability) and 
distributing or arranging for the distribution of assets to 
the DSTBs. The services/information that the asset 
manager 18 provides are: asset media information in- 
cluding: providing unique identifiers for each asset, any 
access restrictions relating to advertisers, media buyers 
and/or service providers; media format availability infor- 
mation (i.e. whatformat(s) the asset is available in); any 
special asset media requirements (e.g. whether or not 
the asset requires the ability for the user to interact with 
the asset); depending on the configuration, distribution 
of the asset media to appropriate privacy managers 16 
(either directly when the relevant asset manager 1 8 and 
privacy manager 1 6 are co-located and via communica- 
tion manager 22 and information manager 20 other- 
wise); and, depending on the configuration, distribution 
of the asset media directly to the targeters 14 on the 
DSTBs. 

[0072] Any distribution of asset media to a privacy 
manager 16 and/or targeter 14 occurs when a request 
message is received from the information manager 20. 
The information manager 20 is responsible for schedul- 
ing and requesting the distribution of asset media. The 
request message to the asset manager 1 8 is generated 
by an information manager 20 only after an ADR refer- 
ring to the asset has been broadcast through the net- 
work. The asset is broadcast along with the same asset 
identifier that was used in the ADR corresponding to the 
asset. As noted above, a variety of methods may be 
used to broadcast the asset since decisions about 
whether to show the asset are made at the DSTBs 1 0. 
[0073] The profiler 1 2 exists entirely within the DSTB 
10 and is responsible for managing profiles within the 
DSTB 10. The profiler 12 manages household profiles 
and real-time profiles. The profiler 12 may attempt to 
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distinguish between individual members or groups of 
members of the subscriber's household. Information on 
the members of the household may be collected by the 
profiler 1 2 and then used by real time profilers to predict 
which members or groups of members are actually 
viewing the television in real time. 
[0074] The profiler 1 2 uses profiler plug-ins to gener- 
ate the data required to satisfy ADR constraints. The tar- 
geter 1 4 is responsible for actually delivering the assets 
within ADRs subject to the ADR's constraints. The tar- 
geter 14 uses the household profile(s) within the DSTB 
1 0 to decide whether to silently accept or reject each 
individual ADR within a PDR received by it from the pri- 
vacy manager 1 6. Referring to Fig. 6, upon receipt of an 
ADR (step 91), the targeter 14 sends a request (step 
92) to the prof iler 1 2 for information on the stored profiles 
within the profiler 12. The profiler 12 receives the re- 
quest (step 93), retrieves the stored profile(s) (step 94) 
and forwards the stored profile information to the tar- 
geter (steps 95, 96). The targeter 1 4 determines if there 
is any likelihood that the ADR's asset will be delivered 
to the subscriber (step 97). This determination is per- 
formed by selecting all constraints from the ADR which 
refer to profile data which will likely remain static for long 
periods of time (i e. household profile data) and applying 
these selected constraints to the household profile data. 
Constraints which refer to real-time profile data are ig- 
nored during this determination. If the determination in- 
dicates that the ADR's asset will definitely not be deliv- 
ered by the DSTB 1 0 then the targeter 14 discards the 
ADR (step 98). Otherwise, the targeter 14 saves the 
ADR (step 99). Later, after the ADR's asset has been 
received by the DSTB 1 0 (step 1 00), the targeter 1 4 us- 
es the ADR's constraints which refer to real-time profile 
data to determine when to deliver the ADR's asset (step 
102). 

[0075] A constraint is said to be satisfied if the param- 
eters of the constraint are currently true. For example, 
a time constraint is satisfied if the DSTB's clock is within 
the time range or ranges specified by the time constraint 
and a gender constraint is satisfied if the audience gen- 
der specified by the constraint (for example an audience 
containing females) matches the profile data describing 
the current audience (for example an audience of mixed 
males and females or an audience of females). At any 
given point in time, the targeter 14 has zero or more 
ADRs which it has saved for future delivery. On a peri- 
odic basis (preferably about once a minute in order to 
ensure prompt satisfaction of time constraints), the tar- 
geter 14 discards expired ADRs and searches for an 
ADR which can be delivered. 

[0076] Refering to Fig. 6A, this process works as fol- 
lows. The targeter waits for the start of the next cycle 
(step 170) The targeter 14 then checks any time con- 
straints within each saved ADR to determine if any of 
the ADRs have expired because the DSTBs clock has 
advanced to the point where the ADR can never be de- 
livered again. Expired ADRs are discarded (step 172). 



The targeter 14 then searches for an ADR whose asset 
is currently stored on the DSTB and whose constraints 
are all currently satisfied (step 174). If none are found 
(step 176) then the targeter 14 resumes waiting for the 

5 start of the next cycle (back to step 170). Otherwise, the 
targeter 14 requests that the DSTB's operating system 
deliver the ADR's asset (step 1 78). The targeter 14 then 
creates an asset delivery notification and sends it to the 
privacy manager 1 6 (step 1 80). The targeter 1 4 then in- 
fo crements the count within the ADR of the number of 
times that it has been delivered (step 182). If the count 
within the ADR is equal to the requested frequency for 
the ADR, the ADR is discarded (step 1 72). The targeter 
14 then resumes waiting for the start of the next cycle 

15 (step 170). 

[0077] For example, the profiler 1 2 might monitor the 
extent to which, say, football programs are watched by 
the subscriber. If more than, say, one hour, is spent 
watching football by the subscriber, the profiler 1 2 might 

20 save in its memory an indication that the viewer is male. 
If the targeter 14 has received an ADR with a constraint 
that an asset is intended for men, as identified by a con- 
straint in the ADR, then the targeter 14 would deliver the 
asset if the profiler 12 returned an indication that the 

25 subscriber was male. If there was a woman in the sub- 
scriber's household, who watched, say, cooking shows, 
the profiler 1 2 may also keep a real time track of what 
program is being watched, and assess for any time pe- 
riod whether the viewer then watching television was 

30 male orfemale. Upon receiving and storing an ADR and 
the corresponding asset the targeter 14 can query the 
viewer status at the profiler 12, and if the viewer was 
likely to be male, deliver the asset. 
[0078] An example of a profiler plug-in for gender de- 

35 termination will now be described. The gender plug-in 
(GP) predicts, in real-time, the gender(s) of the person 
(s) watching a particular TV set. The GP monitors the 
TV programs being watched. The GP has a table of gen- 
der breakdown forTV programs. The GP uses these two 

40 pieces of information to make its prediction. The output 
of the GP is two real numbers F and M. Both of these 
numbers are in the range of [0.0, 1.0]. The M value is 
the likelihood that a Male is currently watching the TV. 
A value of 0.0 denotes that it is highly unlikely that there 

45 is a Male present, a value of 1 .0 corresponds to a high 
probability of a Male audience member. 0.5 is an indi- 
cation that the GP has no opinion. The F value is simi- 
larly derived for a Female audience. A gender constraint 
in an ADR may then be based on whether the F and M 

50 values at the profiler 1 2 are greater or less than a given 
value. 

[0079] From time to time (typically weekly) a table of 
GP data is loaded into the GP from Head Office. This 
table, called the GP Program Data (GPPD), lists TV pro- 
55 grams, categories and genres. Each entry in the table 
provides an audience composition value. The audience 
composition, C, is the fraction of all TV viewers for the 
given program (or category or genre) that is female. 
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Male audience size is 1 • C. These values are deter- 
mined from TV rating data. A value of 0.5 Indicates an 
even split between male and female viewers (and 1 .0 is 
all female and 0.0 is all male). At regular intervals (e.g. 
every 5 minutes), the GP determines the program that 5 
is on TV, It also determines a category and a genre for 
the program. The category and genre information is de- 
rived from an Electronic Program Guide (EPG) that is 
present in the Digital Set Top Box (DSTB). The GP first 
attempts to lookup the program in the GPPD, if it cannot 
find the program, then it attempts to lookup the program 
category, if it cannot find the category, it attempts to 
lookup the genre. This lookup will result in an audience 
composition value C. Finally GP updates its values for 
M and F (M' and F) based on the previous values of M, 
F, C and k, k is a decay constant that is based on sam- 
pling period. The update is performed according to the 
equations: 

F' = (k*F) + (1-k)*C 



M*=(k*M) + (1-k)*(1-C) 

[0080] Profilers use various combinations of informa- 
tion to generate their predictions at different time scales. 
A profiler that identifies the household's geodemograph- 
ic segmentation operates with a very long time scale. A 
profiler that determines if there is currently a viewer 
present operates on a time scale measured in units of 
a few tens of minutes. A gender profiler may produce a 
long term prediction of the makeup of the viewing house- 
hold in addition to generating a more realtime prediction 
of the makeup of the people currently viewing the TV 
set. Such a profiler may be implemented as two sepa- 
rate profilers with the realtime gender profiler using the 
information generated by the long term gender profiler. 
Alternatively, such a profiler may exist as a single entity 
which provides both time scales of gender predictions. 
Profilers may use various information to generate pro- 
files, including present show viewed and gender make- 
up of show audiences. Information on the show viewed 
may come from EPG (electronic program guide) data 
used to provide the viewer with programming informa- 
tion or from EPG data that the system operator down- 
loads on a broadcast basis. A geodemographic profiler 
may operate by mapping the set top box's postal code 
or zip code to the household's geodemographic seg- 
ment using postal/zip code to segment mapping tables 
downloaded by the system operator on a broadcast ba- 
sis. The set top box's postal code or zip code may be 
either programmed into the box when it is setup or oth- 
erwise made available to the system operator. A profiler 
plug-in may also use information about the household 
makeup that is stored in the DSTB. 
[0081] The ADRs that are purchased by the media 
buyer(s) and that eventually arrive on the set top boxes 



specify the target audience that the ADR's media is to 
be presented to. This targeting is done by associating 
zero or more targeting constraints with each ADR. A tar- 
geting constraint specifies to whom and under what con- 
ditions an ADR's media is to be presented. Targeting 
constraints correspond to profile information, but not 
necessarily with a one-to-one relationship, since a sin- 
gle targeting constraint may use more than one profile. 
A "show this to a Spanish audience" constraint may use, 
for example, a relatively static or long-term "the lan- 
guages that are spoken in this household" profile to de- 
cide which set top boxes should retain the ADR for future 
delivery and use a realtime "the language of the current 
TV show" profiler to decide when to actually deliver the 
ad, Alternatively, a single profile may determine various 
attributes of the current program (language, genre, 
MPAA rating) and the resulting conclusions may be 
used in a variety of constraints (language constraints, 
genre constraints, rating constraints, age constraints). 
Some constraints may not use profilers at all. For exam- 
ple, the time constraint (for example, "show this ad be- 
tween 2000 and 2200") doesn't use a profile but rather 
just obtains the current time from the DSTB as required. 
[0082] Examples of constraints are: 

AdultsOnlyConstraint: restricts the advertisement 
to when there is not likely to be a child present. 
CategoryConstraint: restricts the advertisement to 
a list of categories of shows or indicates that the 
advertisement should avoid a list of categories of 
shows. Categories include Science Fiction. News, 
Sports, etc. 

CompetitorConstraint: can be used to ensure that 
the advertisement is not shown in the same hour as 
a targeted advertisement belonging to a competitor. 
FrequencyConstraint (mandatory): Indicates how 
often the ad should be played. Frequency may be 
specified in a separate field, or within the con- 
straints in an ADR. 

GenderConstraint: restricts the ad to particular gen- 
ders (eg. "show this to an audience which is likely 
to contain female viewers" or "show this to an audi- 
ence which is unlikely to contain female viewers", 
etc). There are two parameters with three possible 
values per parameter: - avoid, targeted or dontcare 
about females - avoid, targeted or dont care about 
males, "avoid" means try to avoid showing ad when 
that gender is likely to be present, "target" means 
try to show ad when that gender is likely to be 
present. These yield various possibilities arising 
from the combinations of the two parameters. 
GeographicConstraint (mandatory): restrict the ad 
to a particular geographic area. 
ServiceProviderConstraint: restrict the ad to a par- 
ticular service provider. 

PacingConstraint: allows the advertiser to control 
the rate at which occasions of the ad are shown. 
LanguageConstaint: restricts the ad to be shown 
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when a program in a specific language is shown. 
GeoDemographicConstraint: restricts the ad to one 
or more geodemographic segments, which may be 
defined by existing geodemographic models such 
as PSYTE, Prism or census data. 
ProgramConstraint: restricts the ad to be delivered 
in one of a list of programs or prevents the ad from 
being delivered in any of a list of programs. This al- 
lows advertisers to target particular programs or to 
avoid programs that they dont want to be associat- 
ed with. 

TimeConstraint: restricts the ad to being delivered 
within a list of time ranges. 
FamilyConstraint: restricts the ad to being delivered 
to households that probably have children (or prob- 
ably dont have children). 

Category WatcherConstraint: restricts the ad to be- 
ing delivered to households that are known to watch 
particular categories of shows (or who don't watch 
particular categories). 

Program WatcherConstraint: restricts the ad to be- 
ing delivered to households that are known to watch 
particular shows (or known to not watch particular 
shows). This is analogous to the CategoryWatcher- 
Constraint. 

LifespanConstraint: an ADR should not last forever. 
It should expire after some period. 

[0083] The targeter 1 4 preferably uses targeting plug- 
ins to satisfy ADR constraints. When the targeter 1 4 de- 
livers an ADR's asset, it sends an ADN to the privacy 
manager 1 6. As shown in Fig. 7, an ADN 1 06 preferably 
contains, besides a header 108, preferably exactly the 
following information (i.e. no more and no less): (I) a 
64-bit ADRID 1 1 0 specifying which ADR's asset's media 
has been delivered, (2) a 16-bit occasion number 112 
indicating which occasion of the ADR this ADN repre- 
sents, (3) a channel 114 and time 116 that the ADR was 
delivered on, (4) a 1 6-bit serial number 118 which is in- 
cremented by one for each new ADN sent to the privacy 
manager 16 and (5) a maximum 64-bit identifier 120 
which uniquely identifies the DSTB. 
[0084] The privacy manager 1 6 may use the 1 6-bit se- 
rial number and the 64-bit DSTB identifier to determine 
if a newly received ADN is a duplicate of an ADN previ- 
ously sent by the DSTB or if any ADNs have been 
missed. The privacy manager 1 6 uses the channel and 
time fields to derive which Cable Network the ADR was 
delivered on. The privacy manager 1 6 may request that 
a DSTB 10 re-transmit any ADNs which have been 
missed. The targeter 1 4 can indicate to the privacy man- 
ager 16 that the requested ADN has been irretrievably 
lost. 

[0085] The privacy manager 16 separates the DSTB 
identifier from the other fields as soon as it has been 
determined whether the ADN is a duplicate or not. The 
privacy manager 1 6 should not be programmed to reas- 
sociate an ADRID (with or without the occasion number) 



with the DSTB-identifier that it came from once the 
DSTB identifier has been stripped off. In addition, the 
privacy manager 16 should not allowthe association be- 
tween the ADRID (with or without the occasion number) 
5 and the DSTB-identifier to be stored on persistent me- 
dia. 

[0086] Constraints are used by advertisers and media 
buyers to specify the conditions under which an ADR is 
to be delivered. The constraint-specification plug-ins 
10 within the ad sales interface 24, the household and real- 
time profiling plug-ins within the profiler 12 and the tar- 
geting plug-ins within the targeter 1 4 must be coordinat- 
ed to ensure that an ADR's constraints are correctly im- 
plemented. 

15 [0087] Bach system component is responsible for 
providing its own local task scheduling facility. Compo- 
nents do not provide asynchronous event notification 
services to other components and components do not 
use polling as a substitute for asynchronous notification. 

20 in practical terms, task scheduling is limited to (I) the 
information manager 20 scheduling the distribution of 
ADRs to the privacy manager 16, (2) the privacy man- 
ager 1 6 determining when the asset manager 1 8 should 
distribute assets to the DSTBs and (3) the targeter 14 

25 scheduling asset delivery. 

[0088] in order to develop, test and audit a system 
configuration according to the invention, it will be nec- 
essary to be able to have expanded access to the 
DSTB-resident information for some subscribers. This 

30 requirement is satisfied by the system concept of "run 
naked" mode. A subscriber who elects to "run naked" 
informs their service provider. The service provider in- 
forms the information manager 20 which configures the 
relevant targeter 14 instance to "run naked" and the rel- 

35 evant privacy manager 16 instance to accept the "run 
naked" mode information. 

[0089] There are two levels of "run naked" mode and 
a subscriber may elect to run at either or both levels. In 
the "partially clothed" mode, the DSTB 1 0 provides pro- 

40 file information to the privacy manager 1 6 which is used 
to provide auditing capabilities. Data collected in "par- 
tially clothed" mode must be protected to ensure that 
information which could identify the particular subscrib- 
er is not made available to third parties or system com- 

45 ponents beyond the information manager20 and the pri- 
vacy manager 1 6. 

[0090] In the "bare naked" mode, the DSTB 1 0 pro- 
vides a wide range of information and may even run spe- 
cial software not normally loaded into the DSTB 10. This 

50 information is made available to system developers. 
The subscriber should assume that they can and prob- 
ably will be identified by the system developer and pos- 
sibly other third parties via the information. Note that a 
subscriber running "bare naked" need not also run "par- 

55 tially clothed" (i.e. the two modes are separate and dis- 
tinct). The system operator will need to develop policies 
which control and describe access to "bare naked" and 
"partially clothed" information according to the needs of 
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the subscribers. 

[0091 ] Preferably, each user is associated with a par- 
ticular organization, and all information relating to a par- 
ticular organization is tagged to identify the organization 
to which the information relates. Security policies may 
therefore be implemented at an organization level, so 
that, for example, a user associated with one organiza- 
tion may not access information related to another or- 
ganization. Each organization's information is managed 
and maintained by a particular information manager 20. 
Data packets created for an organization are stored by 
and accessed from the information manager 20 respon- 
sible for the organization that wishes the data packet 
created. More than one organization may be managed 
by a particular information manager 20. Each organiza- 
tion is supported and managed as a distinct entity. This 
includes provision of separate information repositories 
so that information for two different organizations sup- 
ported by the same information manager 20 are man- 
aged separately, information targeted for a particular or- 
ganization is thus sent to the information manager 20 
responsible for that organization. 
[0092] A media buyer uses a sales interface to pian a 
targeted ad delivery request. To obtain a quote, referring 
to Fig. 1A and Fig. 8. a buyer saves information about 
the PDX on its computer using the sales interface client 
25 (step 120), and sends a quote request message to 
its sales interface server 24 (step 122). The sales inter- 
face server 24 forwards the request to the information 
manager 20 responsible for the buyer (step 124). The 
quote request designates the PDX that is to be quoted. 
The information manager 20 retrieves the specified PDX 
(step 125) and verifies that the PDX contains sufficient 
information to be quoted (step 126). If the PDX is incom- 
plete, a request rejected message is sent back to the 
sales interface client 25 (step 128). If the request is com- 
plete, a further quote request message is sent to each 
service provider whose geographic coverage area in- 
cludes at least part of the geographic area targeted by 
the request (step 130). The media buyer may limit the 
request to a specific set of service providers regardless 
of the geographic area targeted by the request although 
the request is still not sent to service providers outside 
of the targeted geographic area. The count of the 
number of service providers who were sent the quote 
request message is saved with the PDX in a database 
in the information manager 20 (step 1 32). The quote re- 
quest message sent by the information manager 20 to 
the various service providers includes a copy of the PDX 
representing the targeted ad delivery request. 
[0093] The information manager 20 for each service 
provider checks the quote request and its database to 
determine whether information to generate a quote is 
available (step 134). If the information is available, an 
estimate of the number of times that the req uesf s media 
will be shown if the request is actually purchased is gen- 
erated (step 136). The estimate may also be generated 
at a number of information managers 20 that share the 



ADR geographic targeting constraint, if more than one 
has relevant information not duplicated elsewhere atthe 
service provider, and the estimates returned to the serv- 
ice provider's primary information manager 20 and 

5 summed. If no quote is available from stored or acces- 
sible information, or if the media buyer is blacklisted 
(due for example to bad debts), a no quote response is 
generated and returned (step 138). 
[0094] Quotes depend on predicted audience size. 

10 Audience size is predicted at the information managers 
by plug-ins from historical data for similar ADRs. If any 
information manager for a particular service provider to 
which the quote request is sent returns a no quote avail- 
able message, then the buyer is provided with a no 

15 quote available message. Partial quotes may be made 
available to be media buyers. Any information manager 
20 that sends a quote request message expects a re- 
sponse within a reasonable amount of time. If the re- 
sponse for the quote request takes longer, the response 

20 is assumed to be no response. Since a human awaits 
the response, a reasonable time may be a few seconds. 
The message returned to the buyer by a service provider 
contains either a no quote available report, or an esti- 
mate of the audience size and price (step 140). Each 

25 service provider's response is kept separate from the 
responses from other service providers to provide a cost 
breakdown per service provider. The buyer may then 
purchase the PDX, try again with different data or try to 
negotiate a price. 

30 [0095] When a PDX is purchased by the buyer, a PDR 
is created for the PDX at the buyer's information man- 
ager 20 and the PDR is sent to the targeted service pro- 
viders' information managers 20. Each targeted service 
provider's public accessible information manager 20 

35 stores the request, and delivers it to other information 
managers 20, if any, associated with the same service 
provider. Irrelevant geographic constraint data may be 
deleted as the PDR is delivered to various geographic 
regions. When the PDR is due to be delivered, it is sent 

40 to the appropriate privacy manager 16, and then for- 
warded to the corresponding DSTBs 10. Each DS TB 
1 0 that gets the request inspects it to see if there is any 
hope of delivering the request on the DSTB 1 0. This de- 
cision is based on the results of profilers with a long 

45 enough time horizon that their predictions will remain 
valid for the entire time span of the request (eg. geo- 
demographic information). Each DSTB 10 either saves 
the request for future delivery or discards it, without dis- 
closing whether it did so to the privacy manager 1 6. Up- 

50 on receipt at a DSTB 1 0, any remaining geographic con- 
straint data may be discarded. At an appropriate time 
shortly before the start of the time span of the request, 
information managers 20 connected to the privacy man- 
agers 16 request the asset managers 18 to deliver as- 

55 sets to the DSTBs 1 0. As the asset(s) arrive on each 
DSTB 1 0, they are either discarded or saved depending 
on whether they correspond to previously saved PDRs 
or not. Again, neither the privacy manager 1 6 or the as- 
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3. The method of claim 2 in which reporting to a user 
the delivery of the asset does not identify the sub- 
scriber to which the asset was delivered. 

5 4. The method of claim 2 in which reporting to a user 
the delivery of the asset identifies a group of sub- 
scribers and does not identify a different group of 
subscribers. 

10 5. The method of claim 2, 3 or 4 in which reporting the 
delivery of the asset comprises the steps of, for 
each subscriber: 

forwarding an asset delivery notification from 
15 the set top box to a privacy manager, in which 

the asset delivery notification contains informa- 
tion on the identity of the subscriber; and 
forwarding information from the asset delivery 
notification to an information manager after re- 
20 moving the information on the identity of the 

subscriber. 

6. The method of claim 5 further comprising the step 
of compiling information on asset delivery from plu- 
25 ral subscribers. 



set manager 18 is told whether the asset is saved or 
discarded. When the asset is delivered by a DSTB 10, 
it sends an ADN to its privacy manager 18. The ADN 
indicates which ADR was delivered, which delivery oc- 
currence it was and what channel it was delivered on. 
The privacy managers 16 aggregate like ADNs into 
ADSs and forward the ADSs to their information man- 
agers 20 from time to time (soon enough that reasonably 
prompt results are available to the media buyer but not 
so often that excessive effort and/or bandwidth is ex- 
pended on the task). The information managers 20 ag- 
gregrate like ADSs and forward them onwards towards 
the buyer responsible for the ADR (again, soon enough 
to provide reasonably prompt results but not so often as 
to waste effort and/or bandwidth). As the ADSs arrive 
on the media buyer's information manager 20, they are 
aggregated and stored with the original ad delivery re- 
quest. The buyer can request to see any already stored 
ADSs as appropriate. 

[0096] An asset manager organization for each asset 
manager 1 8 may also be used by the information man- 
agers for messaging. Transmission of assets from the 
asset managers 1 8 may be sent via information manag- 
er organization-oriented messages to the appropriate 
privacy managers 1 6 and then out to the DSTBs 1 0, via 
other service provider equipment for forwarding to DST- 
Bs 10 (without using privacy managers 16). When mul- 
tiple communication managers 22 are used, a secure 
messaging protocol may be used for communication be- 
tween communication managers 22. An asset manager 
18 typically forwards an ad to a targeter 14 at a DSTB 
10 to be inserted in a programming stream by the tar- 
geter 14. The asset manager 18 may also forward the 
asset to other locations, including the cable network 
head end, or intermediate locations, for addition into the 
programming stream under direction of the targeter 14. 
[0097] Immaterial modifications may be made to the 
invention described here without departing from the es- 
sence of the invention. 



Claims 

1 . A method of delivering targeted assets to subscrib- 
ers using communication media, wherein each sub- 
scriber has a set top box, the method comprising 
the steps of: 

generating a profile of each subscriber at the 
set top box associated with the respective sub- 
scriber; 

broadcasting an asset to all subscribers along 
with target information; and 
delivering the asset only to subscribers whose 
profiles match the target in information. 

2. The method of claim I further comprising the step 
of reporting to a user the delivery of the asset. 



7. The method of claim 6 further comprising the step 
of delivering compiled information on asset delivery 
to a user. 

30 

8. The method of any one of the preceding claims in 
which generating the profile of each subscriber 
comprises, for each subscriber, monitoring the 
viewing habits of the subscriber. 

35 

9. The method of claim 8 further comprising the step 
of storing an indication of a characteristic of the sub- 
scriber that is derived from the viewing habits of the 
subscriber. 

40 

10. The method of any one of the preceding claims in 
which the profile of each subscriber includes stored 
and real-time information identifying a realtime 
viewer. 

45 

11. A communication system for delivery of advertise- 
ments to subscribers, the system comprising: 

a communication network including an informa- 
tion manager and a source of advertisements; 
a set top box associated with each subscriber 
and each set top box being connected to the 
communication network; 
each set top box being configured to include a 
profiler containing profile information about the 
subscriber; 

each set top box being configured to include a 
targeter for receiving advertisement delivery re- 
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quests containing constraints, for delivering an 
advertisement to the subscriber when the con- 
straints match the profile information and for re- 
porting delivery of an advertisement by gener- 
ating an advertisement delivery notification; 
and 

a privacy manager interfacing between the set 
top box and the communication network, the 
privacy manager being configured to strip infor- 
mation identifying the subscriber from adver- 
tisement delivery notifications and forward in- 
formation on the delivery of the advertisement 
to the information manager. 

12. A method of delivering advertisements, the method 
comprising the steps of: 

forwarding a quote request from a buyer to a 
service provider, wherein the quote request 
contains a set of one or more constraints on the 
subscribers to be shown the advertisement; 
generating a cost estimate for the quote based 
on audience size, wherein the audience size is 
controlled by the set of constraints; 
returning the cost estimate to the buyer; and 
sending the advertisement for delivery to the 
subscribers defined by the set of constraints. 

13. The method of claim 1 2 in which the quote request 
is provided to multiple service providers and the 
multiple service providers each provide a response 
selected from the group consisting of a no quote re- 
sponse and a quote. 

14. The method of claim 12 or 13 in which whether an 
advertisement is shown to a subscriber is deter- 
mined by profile information describing the sub- 
scriber. 

15. The method of claim 14 in which the determination 
of whether to show an advertisement to a subscrib- 
er is carried out by a targeter at the subscriber 
premises. 

16. The method of any one of claims 12-15 in which ad- 
vertisement delivery statistics are generated and 
returned to the buyer. 

17. The method of claim 1 6 in which the advertisement 
delivery statistics returned to the buyer are anony- 
mous with respect to the subscriber. 



19. A method of broadcasting messages in a network 
composed of plural geographically distinct commu- 
nication nodes and plural subscriber set top boxes 
connected to some but not all of the communication 
5 nodes, the method comprising the steps of: 

generating a message containing fields identi- 
fying user specified communication nodes of 
the network; 

10 delivering the message to a first communica- 

tion node in the network; 
forwarding the message from the first commu- 
nication node in the network only to the user 
specified communication nodes; and 

15 forwarding the message from the user specified 

communication nodes to all subscribers set top 
boxes connected to the user specified commu- 
nication nodes. 

20 20. The method of claim 1 9 in which the message con- 
tains a set of one or more constraints and further 
comprising the steps of: 

broadcasting an advertisement to the plural 
25 subscriber set top boxes; and 

showing the advertisement only at subscriber 
premises at which the subscriber set top boxes 
have profiles that satisfy the set of constraints. 

30 21. The method of claim 20 in which delivery of the mes- 
sage is constrained by geographic constraints. 

22. A method of delivering advertisements to subscrib- 
ers to a network, the subscribers having subscriber 
35 sets, the method comprising the steps of: 

broadcasting an advertisement to plural sub- 
scriber sets in the network; and 
showing the advertisement only at subscriber 
40 sets that have corresponding profiles that sat- 

isfy a set of constraints associated with the ad- 
vertisement. 



45 



50 



18. The method of claim 1 7 in which each subscriber is 
connected to a service provider through a privacy 
manager that strips subscriber identification infor- 55 
mation from advertisement delivery information 
generated at the subscriber premises. 
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